Bugtraq mailing list archives
FTP compromise.
From: aleph1 () dfw net (Aleph One)
Date: Tue, 9 Sep 1997 09:45:43 -0500
---------- Forwarded message ---------- Date: Tue, 9 Sep 1997 14:43:46 +0100 From: Josef Karthauser <joe () pavilion net> To: security () FreeBSD ORG Subject: FTP compromise. I found this today. Any comments? BUG: wu_ftpd (all versions) TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1 DATE: 15th Aug 1997 REPEAT BY: Log into a wu_ftp server (either anonymously or as a user) and issue the command... nlist ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/ ../*/../*/../*/../*/../*../*../* DESCRIPTION: You can severly compromise the ftp servers performance. This command will create a HUGE directory listing, no matter how many files/directories are in the current directory (this is recursive). CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat up all memory and swap memory until the kernel spewed "out of swap space" errors and killed a few processes. It also eats up all available CPU space (up to 99.22% on my box). If repeated a few times you will no longer use up swap space and the processor usage will rocket and stay there for quite a while (hours). Since the ftpd program is still processing the command your ftp session will not idle timeout. However, if you do decide to kill your attacking ftp session, ftpd will still process teh command and therefore, the hosts resources will take a beating. Basically, it looks like any user can severely drain your systems resources - a kind of Denial of Service attack. I was able to use up all remaining processor time for two hours (would have gone on for much longer only I got bored and kill it). CONTACT: You can email me at ener () shell firehouse net if you want to discuss this problem further (or let me know if it works on any other ftpd). -- Josef Karthauser Technical Manager Email: joe () pavilion net Pavilion Internet plc. [Tel: +44 1273 607072 Fax: +44 1273 607073]
Current thread:
- Re: stealth port scanning Fyodor (Sep 08)
- Re: stealth port scanning Duncan Simpson (Sep 08)
- Re: stealth port scanning Alan Cox (Sep 08)
- Security Bulletins Digest Aleph One (Sep 09)
- AIX bugfiler Aleph One (Sep 09)
- FTP compromise. Aleph One (Sep 09)
- OpenBSD Security Advisory: BSD I/O Signals Thomas H. Ptacek (Sep 14)
- Re: OpenBSD Security Advisory: BSD I/O Signals Alan Cox (Sep 15)
- Small bug in screen-3.7.1 gershwin (Sep 15)